Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers.
“The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*),” the web infrastructure company’s Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said.
The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context.
ACME is a communications protocol (RFC 8555) that facilitates automatic issuance, renewal, and revocation of SSL/TLS certificates. Every certificate provisioned to a website by a certificate authority (CA) is validated using challenges to prove domain ownership.
This process is typically achieved using an ACME client like Certbot that proves domain ownership via an HTTP-01 (or DNS-01) challenge and manages the certificate lifecycle. The HTTP-01 challenge checks for a validation token and a key fingerprint located in the web server at “https://
The CA’s server makes an HTTP GET request to that exact URL to retrieve the file. Once the verification succeeds, the certificate is issued and the CA marks the ACME account (i.e., the registered entity on its server) as authorized to manage that specific domain.
If the challenge belongs to a certificate order managed by Cloudflare, Cloudflare answers on that path itself and returns the token the CA issued to the caller. If the request does not correspond to a Cloudflare-managed order, it is routed to the customer origin, which may be using a different system for domain validation.
The vulnerability, discovered and reported by FearsOff in October 2025, stems from a flawed implementation of the ACME validation process: certain challenge requests to that URL caused web application firewall (WAF) rules to be disabled and let the request reach the origin server when it should have been blocked.
In other words, the logic failed to verify whether the token in the request actually matched an active challenge for that specific hostname, effectively permitting an attacker to send arbitrary requests to the ACME path and circumvent WAF protections entirely, granting them the ability to reach the origin server.
“Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,” the company explained.
“This is done because those features can interfere with the CA’s ability to validate the token values and would cause failures with automated certificate orders and renewals….
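To make the logic error concrete, the following added example (not Cloudflare's code, and not code from the original article) models an edge proxy's handling of `/.well-known/acme-challenge/<token>` requests. It builds the HTTP-01 response body the CA expects (RFC 8555 section 8.1: the token, a dot, and the RFC 7638 thumbprint of the account key), then places the flawed lookup described above, which matches the token against any active challenge and switches the WAF off before deciding who serves the request, beside a hardened lookup keyed on the (hostname, token) pair. The hostnames, the token, the account key coordinates and the `Decision` structure are all constructed for illustration, and the exact way the original flaw forwarded traffic is an assumption drawn from the article's description.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the CA expects to fetch at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


@dataclass
class Challenge:
    hostname: str      # host the order is for
    token: str         # token handed out by the CA
    account_jwk: dict  # public key of the ACME account that placed the order


@dataclass
class Decision:
    served_by_edge: bool        # True: the edge answers, the origin never sees it
    waf_enabled: bool           # whether WAF rules apply to a forwarded request
    body: Optional[str] = None  # response body when the edge serves it


# Active challenges the edge is currently serving, keyed on (hostname, token).
_ACTIVE: Dict[Tuple[str, str], Challenge] = {}


def register_challenge(ch: Challenge) -> None:
    _ACTIVE[(ch.hostname, ch.token)] = ch


def _token_from(path: str) -> Optional[str]:
    if not path.startswith(ACME_PREFIX):
        return None
    return path[len(ACME_PREFIX):] or None


def route_vulnerable(host: str, path: str) -> Decision:
    """Model of the flawed logic: the token is matched against ANY active challenge."""
    token = _token_from(path)
    if token is None:
        return Decision(served_by_edge=False, waf_enabled=True)
    match = next((c for c in _ACTIVE.values() if c.token == token), None)
    if match is None:
        return Decision(served_by_edge=False, waf_enabled=True)
    # The path matched a known token, so WAF features are switched off here ...
    if match.hostname == host:
        return Decision(True, False, key_authorization(token, match.account_jwk))
    # ... but the challenge belongs to a different hostname, so this request is
    # forwarded to the requested host's origin with the WAF already disabled.
    return Decision(served_by_edge=False, waf_enabled=False)


def route_hardened(host: str, path: str) -> Decision:
    """Lookup keyed on (hostname, token); any other request is ordinary traffic."""
    token = _token_from(path)
    match = _ACTIVE.get((host, token)) if token is not None else None
    if match is None:
        return Decision(served_by_edge=False, waf_enabled=True)
    # Only now is it safe to bypass the WAF: the edge serves the body itself.
    return Decision(True, False, key_authorization(token, match.account_jwk))


SAMPLE_JWK = {  # constructed EC account key; the coordinates are placeholders
    "kty": "EC", "crv": "P-256",
    "x": "PLACEHOLDER_X_COORDINATE", "y": "PLACEHOLDER_Y_COORDINATE",
}


def demo() -> Dict[str, Decision]:
    """Run both routers over constructed requests and return the decisions."""
    _ACTIVE.clear()
    register_challenge(Challenge("shop.example", "tok-constructed-A", SAMPLE_JWK))
    ca_path = ACME_PREFIX + "tok-constructed-A"
    return {
        "ca_vuln": route_vulnerable("shop.example", ca_path),
        "ca_fixed": route_hardened("shop.example", ca_path),
        "cross_host_vuln": route_vulnerable("other.example", ca_path),
        "cross_host_fixed": route_hardened("other.example", ca_path),
        "unknown_token_vuln": route_vulnerable("shop.example", ACME_PREFIX + "nope"),
        "plain": route_hardened("shop.example", "/admin"),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:20} edge={d.served_by_edge!s:5} waf={d.waf_enabled}")
```

The `cross_host_vuln` case is the one the article describes: a token valid for one hostname reaching another hostname's origin with the WAF off. The hardened router never disables the WAF for a request it is about to forward; the WAF is only bypassed when the edge itself produces the response, which is the only situation in which the CA's validation could be interfered with.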